Video transcript: Data in the public sector – Part 2: Practical steps
Title: Data in the public sector – An interview with the Government Chief Privacy Officer – Part 2: Practical steps
Karen Smith (Director, Research and Development, Office of the Auditor-General)
So we talked a bit earlier about when people or organisations should consider privacy, and you talked about, at the beginning, talk to your Privacy Officer, because all agencies have them. And one of my questions was, how do they practically… with not overburdening something I want to do. Because people, when I spoke to them, said, “No, it’s such a burden to talk about privacy.” That might be a bit of a barrier that’s a misconception. How do people do…
Russell Cooke (Government Chief Privacy Officer)
How do you do it at a practical level?
Karen
Yeah.
Russell
I think the first thing is the principles under the Privacy Act are actually pretty easy to read and actually pretty good things to start with. You don’t have to memorise them all, obviously. But if you thought about them as a series of questions, ask yourself those questions: “Why am I collecting this? Do I have the permission? Can I have it amended? Can I see it? can I correct it?” Those sorts of things. So I think they’re the basic places to start.
I think the other thing is always, at a practical level, go back to the why: why are you doing this? Are you wanting to collect this information because you think you might need it for a rainy day? Are you wanting to do this because you’re trying to solve cancer? So always go back to the first principle of why are you doing this, and then say, “Then what information do I need?” So a practical example: health information. So health information is very sensitive; actually, that probably is likely to lead to need to have really, really sensitive personal information. If you’re looking at, I don’t know, rubbish collection or something, well, that’s like to need personal information but more likely to need geographical information.
So, again, go back to the original purpose of, “What am I trying to achieve?” and then, “What’s the least personal amount of information I can possibly keep to do that?” and just stop and ask yourself that question. And, again, go ask your Privacy Officer. The other thing that Privacy Officers can do, as well, is they can give you good pointers and training, and access to those services which actually help you to understand that world better. We don’t want to create a world where every single person is a privacy expert. But what we would like to do is raise the awareness and consciousness of privacy at all levels. And I think that’s where the Privacy Officers really come to their own, because they can help you with, “Well, you want to learn about that – sure, we can show you how that works. We can give you the tools; we can give you access to training materials; we can give you access to other people.” So I think that’s actually probably a very practical first step as well.
Karen
I did hear – when out and having the discussions with people, especially around sharing and collaborating between agencies – that privacy was often said, “Oh no, it’s a problem because of privacy,” and it’s a barrier. And it kind of sounded like there were a bit of myths going in. Have you come across any myths or barriers, and what are they? Can you give us some examples?
Russell
Well, the biggest myth is, “I can’t share because of the Privacy Act.” And usually that stems from the fact that don’t understand what you can do within your legislation and with the Act. The other thing to remember is that the Privacy Act is subservient to other primary legislation. So, if you have your own legislation, that will override the Privacy Act. So it’s an important relationship between the two, that you need to be able to meet the rules of the Privacy Act, but your own legislation can override elements specifically. So the Tax Administration Act, for example, they can do that sort of thing.
So I think it’s really important that – and again, this refers to the privacy person in your legal teams – can start to understand how you navigate that landscape of those two areas. There is a lot of legislation out there; there’s a lot of codes, a lot of information sharing agreements. There’s a lot of MOUs and other mechanisms that exist today to allow information to be collected or shared, and shared legally and appropriately and fairly and ethically. But most people don’t understand those mechanisms exist, or they don’t know how to create those mechanisms, those levers or instruments, and they don’t know how to start. So, again, go back to your Privacy Officer, really. It’s the first thing.
Karen
Will they know how to do that?
Russell
They would know how to do that, yeah.
Karen
So, with an MOU, which is a memorandum of understanding between agencies. And I heard sometimes they can take years.
Russell
Yeah.
Karen
Is that still the case, or is that maybe historically gone by?
Russell
There are quite high thresholds to getting some of those things passed: information sharing agreements, AISAs – approved information sharing agreements. They do go through quite a lengthy process: a PCO, so they go through to Counsel. So there are fairly high barriers and they need to be signed off by ministers and all sorts of stuff as well. So they are fairly high barriers. But, in a lot of cases, some of the things that you want to do they may already have MOUs in place already, or agreements of some degree in place for that. And what obviously we try to do is work with the Privacy Commissioner and that and say, “Okay, what are those instruments that we can use?” The other ones that the Privacy Commissioner plays a role, they need to approve and agree those sharing agreements as well.
So that’s the other place to go as well, of course, is to go talk to the Privacy Commissioner about, “Well, what can I do? How can I do some of the sharing?” as well. And that’s a very, very big role for the Privacy Commissioner already. One of the key things is, if you want to share information, you want to create an authorised information sharing agreement, actually, also go talk to the Privacy Commissioner, because that’s one of the jobs they do is approve those, but also to review and establish the rules which they could operate within.
Karen
So it’s really important even to have the conversation.
Russell
Absolutely.
Karen
So to say, “Look.” Don’t try and muddle around. Not for me to sit and go at the desk, “How do I do this? I can’t do it, I can’t do it.” Just ring up, have a conversation.
Russell
Yeah, exactly. Ring up, have a conversation, yeah. That’s what they’re there for. They quite happily will take the referee hat off here, because, in this case, this is actually, “How can I help you to do it better?” We don’t want people to stumble at the first hurdle and go, “It’s too hard.” Help is at the end of a telephone; help’s at the end of an email. You can just contact them. You can contact the Privacy Officer; you can contact us, and we’ll help you. We’ll help you navigate that system; that’s what we’re all there for. And maybe what we needed to do is promote more about the avenues that you can go to, so it’s clearer for you to know, “Where do I go? Where do I start? Who do I call? Who do I talk to?” And I think maybe that’s really what we mean when we say, “Because the Privacy Act” – well, actually maybe it’s more of a, “I don’t know where I start.” So start with us; start with the Privacy Officer.
Karen
So, if people want to go somewhere for more information or to help improve their knowledge and understanding, is there a website or a place that has basic facts, or, “Go here?”
Russell
So two starting points and websites: I’d start with privacy.org.nz – that’s the Privacy Commissioner’s website – or our own one, which is under digital.govt.nz, so those are the two primary websites. You can email us at gcpo@dia.govt.nz and we can put you in the right direction.
Karen
So you’ve got your own email address?
Russell
Yeah, we do; we’ve got our own email address. Lucky us. And, again, anybody can email us. The public can email us. Government agencies, non-government agencies, they can all email us and contact us – we’re happy to help.
Title: Visit oag.govt.nz to read more about the Office's work.